Mitnick In The News

Are things really as bad as the ABC Four Corners’ Cyber War documentary makes out?

The Australian Broadcasting Corporation’s Four Corners’ Cyber War program, aired tonight, highlighted the personal, commercial and national threats posed by hackers and a general preparedness on all things cyber security.

The program started by looking at hackers at this year’s DEF CON hacking conference and highlighted just how vulnerable any piece of technology connected to the internet actually is. They proceeded at a rapid pace to move from phones, bank accounts and cyber crime to alleged nation state hacking, including the hack of the Australian Bureau of Meteorology, revealed in December of last year.

The first thing to point out is that nothing reported in the program tonight is particularly new. DEF CON has been running since 1993. The types of hacks outlined by the ABC journalist this year at DEF CON have been highlighted for many years now. Kevin Mitnick, interviewed in the program in his current role as a cyber security specialist, was convicted and jailed for his hacking crimes stretching back to the 1980s.

Certainly, things have gotten worse in recent years because of the increasing levels of activities that the general public, organisations and government are carrying out on the internet. There is also a massive cyber crime industry which is estimated to now cost the global economy around US$500 billion a year.

There is also no doubt that state-sponsored hacking and full cyber warfare are proceeding unabated.

What is not at all certain, though, is the increasing rhetoric around accusations of Chinese government involvement in hacks that are only stated as “originating” in China.

In the ABC program, a former IT manager of NewSat, a satellite communications company, makes the claim that their network was infiltrated by hackers, that these hackers originated from China, and that they were sophisticated and so obviously well funded.

Unfortunately, no evidence is provided to support any of these assertions. Given that the IT manager also stated that their network security was deemed the worst that a government security organisation had ever seen, it is entirely possible that they had been hacked by any number of people.

Contrary to the impression created by the program, NewSat’s main problems were financial, with financial mismanagement and defaulting on payments for the satellite a major cause for the company going into administration. NewSat’s directors are now potentially facing criminal charges around the financial dealings of the company.

It is possible that the company did have technical issues in addition to the financial ones it was going through. But with no evidence provided for NewSat’s breaches, it is very hard to take seriously claims that these hacks were the work of the Chinese Government.

Another focus of the program was the use of so-called Zero Day exploits. These threats are previously unknown vulnerabilities in a product that can be exploited before the manufacturer or developer is aware of them and can issue a patch.

It was a series of Zero Day vulnerabilities identified in Apple’s iPhone operating system recently that caused it to release an immediate update (version 9.3.5) that the media were quick to sensationalise.

The salient point about this vulnerability was that the company that was allegedly behind exploiting it was selling that capability for hundreds of thousands of dollars. It was being used to target specific individuals by their own government. This was not something that was ever likely to be a widespread problem for the general public. The iPhone still remains a generally very secure platform.

What wasn’t mentioned in the documentary were the far more common problems that still exist with the public, organisations and government agencies simply not updating their software and systems regularly and often. It is this fact, combined with the relative ease of phishing attacks by email and text, that presents the biggest challenges to general cyber security.

Stories like the ABC Four Corners’ report fail to mention the other side of the equation, which is that companies have actually made improvements in recent years in both their attitudes to security and their implementation of this in their products.

Companies like Apple, Google and others are continually building systems that are secure by design. Governments, including Australia’s, are increasingly developing their capabilities in the area of cyber security and ensuring that the public and companies are using an increasing array of preventative security strategies.

Whilst cyber security is an ongoing issue, the focus perhaps should emphasise what is actually being done to keep systems safe rather than continually focusing on bleak outlooks that are increasingly the norm.